There have been a bunch of interesting articles in recent weeks that highlight the rapid expansion of Google’s Android operating system from phones and tablets to all kinds of intelligent devices. They beg the question: is Android becoming the Microsoft Windows of the fast-emerging “Internet of Things.” And, if so, we might ask: ‘What are the security implications of that?’
First the skinny on Android’s growing dominance of the intelligent device sector. Ashlee Vance over at Businessweek.com delved into that with an article “Behind the Internet of Things is Android – and its everywhere.” Vance makes the point that Android is not only the choice for 75% of the handset makers these days – it’s also become the OS of choice for anyone making anything with a processor and a networking stack.
The effect of that is akin to what Microsoft encountered when Windows went from being just another PC operating system to – in essence – the only PC operating system in the early 1990s. To quote Vance:
“While iPhones and iPads come in very few versions and only from Apple, Android-powered mobile hardware of all shapes and sizes and brands has flooded the marketplace. The companies that build components have had to scramble to make sure everything they make functions well with all those gadgets. The result is a huge and growing number of hardware makers and software companies becoming expert in all things Android. ‘Every screen variant, mobile chip, and sensor known to man has been tuned to work with Android,’ (Linux Foundation executive director Jim), Zemlin says. ‘There’s this network effect, so that now anyone who wants to make a custom product can take Android and morph it into anything.’”
The big question isn’t whether Android will “win” the Darwinian contest between mobile operating systems, but whether an Android monoculture will lead to the same kinds of problems we saw with the Windows monoculture, namely: widespread attacks that rely on exploits of vulnerabilities in core components of the OS.
The stakes here are high. Microsoft claims 1.3 billion Windows users worldwide and still powers the vast majority of PCs, but Android is set to pass the billion user mark this year, and to overtake Windows total user base sometime before 2016. And, because Android is open source and its applications are much broader than those of Windows, any vulnerabilities and exploits of those will be felt far and wide. Think “Windows Help and Support Center” (CVE-2010-1885) running on everything from your car to your coffee maker.
This isn’t just theoretical. There is already ample evidence that cyber criminal activity is coalescing around Android. The security firm Symantec in its latest Internet Security Threat Report. The Cupertino antivirus firm reported that, of 108 new malicious programs for mobile devices identified in 2012, more than 95% (103) targeted Android devices, compared to just one mobile threat targeted Apple’s iOS operating system during the same period.
Malicious activity directed at Android mobile devices doesn’t correlate with Android’s global market share, and it correlated negatively with the availability of exploitable vulnerabilities on Android. In fact, Apple’s iOS was the source of almost all the documented mobile application vulnerabilities among the mobile platforms – 93% or 387 of 415 documented vulnerabilities across all mobile platforms. (I wrote more about this and its implications in a post on Veracode’s blog.)
A more likely explanation is that Android is the target because of its growing installed base, and because Google’s policy to ‘let a thousand flowers bloom’ has created an environment that’s beneficial to malware authors. Importantly: Android devices can synch with any number of third-party application marketplaces, many of which are rife with malicious programs, or compromised versions of legitimate apps. And, unlike Apple, or even Microsoft in the darkest days of the Windows worms, Google lacks the ability to push security fixes directly to vulnerable devices, complicating the prompt distribution of critical patches. In fact, only 28% of Android devices run the most recent version of the operating system, while almost 40% are running “Gingerbread,” a two-year old version of the OS that has known vulnerabilities. In contrast, more than 90% of iOS devices have updated to the latest version of that operating system.
This isn’t to say that monocultures are bad per se. Nor am I suggesting that Android is exposed in the same way that Windows was. After all, Windows’ roots are in a pre-Internet era, and Microsoft had a yeoman’s work to engineer its way around some core assumptions that went into Windows’ design, but proved to be big headaches. Android has no such issue, and – to date – most of the security problems facing Android have come in the form of malicious apps installed (willingly) by users, not through exploits of OS vulnerabilities.
Rather, the point is that the rapid adoption and application of Android as an OS obscures some concerning problems about the ability to manage the security of the OS. At the end of the day, there’s really no precedent for the kind of environment that may emerge in the next five years, with one operating system running not just personal computers, but a whole range of other devices – some of them consumer oriented (coffee makers, automobiles, yard sprinklers), some of them “critical infrastructure,” such as manufacturing. A growing number of them may fall somewhere in between those two poles, like the Android-based personal satellites being worked on by the folks at NASA’s Ames research lab.
What is clear: without more energy and attention to the new security problems created by the fast-evolving Internet of Things, we could be headed for a rude awakening. That’s the point that Intel executive Andy Thurai makes in a recent opinion piece. The Internet of Things, he says, necessitates an entirely new security model, not just reapplication of the security model developed for the PC world. “The thing that scares me the most is the underlying threat to all of the above technologies when you try to fit them into the older security model,” he wrote in an article on the Web 2.0 Journal.